Higher Education

Clearpass Enforcement Policy

  • 1.  Clearpass Enforcement Policy

    Posted Aug 18, 2017 07:30 AM

    Hi,

    I have a question related to a scenario wherein I want to push a firewall role (controller) from ClearPass. I am having a hard time understanding how we can implement this.

    For example: I want to block a certain type of traffic for a user group. I have created a firewall rule on the controller. When I define an enforcement policy, where shall I define this enforcement? Because in the enforcement profile I don't see any condition related to pushing a firewall rule.

    Regards,

    MD



  • 2.  RE: Clearpass Enforcement Policy

    MVP
    Posted Aug 18, 2017 07:34 AM


    We define the user roles in the controllers and send the Aruba-User-Role VSA from the ClearPass enforcement profile.


  • 3.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 07:44 AM

    Thanks for the reply Bruce.

    What should be the attribute value in this case, the plain-text Aruba firewall role created on the controller?

    For example: I have created a firewall role as "Block youtube", so my enforcement profile attribute would be:

    Type: Radius:Aruba

    Name: Aruba-user-role 1

    Value: Block youtube

    Is this a correct understanding?

    Could you also help me understand on what basis we select an appropriate attribute?

    Appreciate your help.

    Thanks,

    MD



  • 4.  RE: Clearpass Enforcement Policy

    MVP
    Posted Aug 18, 2017 07:52 AM

    I am assuming you have PEFNG firewall licenses on your controller. The user-role would contain your ACL. If you wish to just block things, you must add the allowall ACL (policy) as the last ACL since there is an implicit denyall in a role which blocks anything.

    If your controller user-role containing your ACLs is named "Block-Youtube" then your ClearPass Enforcement Profile would send back

    Type: Radius:Aruba

    Name: Aruba-User-Role

    Value: Block-Youtube

    I recommend not using spaces in names on the controller. You can use underscores and dashes instead, just be consistent.
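What that enforcement profile actually puts on the wire, as an added Python example (not ClearPass or Aruba code): the Aruba-User-Role value is carried in a RADIUS Vendor-Specific attribute with Aruba's enterprise number 14823 and vendor-type 1, and the encoder refuses role names with spaces, following the naming advice above. The parser is what a RADIUS-side check of the returned role would look like.

```python
import re
import struct
from typing import Optional

# Aruba Networks IANA enterprise number and the vendor-type of Aruba-User-Role
# (the "1" shown next to the attribute name in the ClearPass UI).
ARUBA_VENDOR_ID = 14823
ARUBA_USER_ROLE = 1
RADIUS_VSA_TYPE = 26          # RADIUS Vendor-Specific attribute (RFC 2865, 5.26)
MAX_AVP_LEN = 255             # one-byte length field on the outer attribute

# Naming rule recommended in the thread: no spaces, letters/digits/underscore/dash only.
SAFE_ROLE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def is_safe_role_name(role: str) -> bool:
    return bool(SAFE_ROLE_NAME.match(role))


def build_aruba_user_role_avp(role: str) -> bytes:
    """Encode Aruba-User-Role = <role> as a RADIUS Vendor-Specific AVP."""
    if not is_safe_role_name(role):
        raise ValueError(f"role name {role!r} contains characters the controller may not accept")
    value = role.encode("ascii")
    # vendor data: vendor-type, vendor-length (2 header bytes + value), value
    vendor_data = struct.pack("!BB", ARUBA_USER_ROLE, 2 + len(value)) + value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + vendor_data
    if 2 + len(body) > MAX_AVP_LEN:
        raise ValueError("role name too long for a single RADIUS attribute")
    # outer AVP: type 26, length (2 header bytes + vendor-id + vendor data), body
    return struct.pack("!BB", RADIUS_VSA_TYPE, 2 + len(body)) + body


def parse_aruba_user_role(avp: bytes) -> Optional[str]:
    """Return the role name if avp is a well-formed Aruba-User-Role VSA, else None."""
    if len(avp) < 8 or avp[0] != RADIUS_VSA_TYPE or avp[1] != len(avp):
        return None
    vendor_id = struct.unpack("!I", avp[2:6])[0]
    vendor_type, vendor_len = avp[6], avp[7]
    # the vendor-length must cover exactly the remainder of the attribute
    if vendor_id != ARUBA_VENDOR_ID or vendor_type != ARUBA_USER_ROLE or vendor_len != len(avp) - 6:
        return None
    return avp[8:].decode("ascii", errors="replace")


if __name__ == "__main__":
    avp = build_aruba_user_role_avp("Block-Youtube")
    print(avp.hex())
    print(parse_aruba_user_role(avp))
```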



  • 5.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 08:31 AM

    Also don't forget about downloadable roles from CPPM. That way you can manage the roles in one place and push them to any switch or controller.

    http://www.arubanetworks.com/techdocs/ClearPass/Aruba_CPPMOnlineHelp/Content/CPPM_UserGuide/Enforce/EPAruba_Downloadable_Role.htm


  • 6.  RE: Clearpass Enforcement Policy

    MVP
    Posted Aug 18, 2017 08:36 AM

    That requires ClearPass 6.6.7, correct? I do not currently recommend that release.

    Our roles have so many ACL lines that downloading them for each user might not be too efficient. I may research this when I have time.



  • 7.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 08:38 AM

    No sir. We have been using downloadable roles for the last four years.



  • 8.  RE: Clearpass Enforcement Policy

    MVP
    Posted Aug 18, 2017 08:40 AM

    OK, thanks for the correction.

    I was just looking at the switch release notes and it requires 6.6.7.



  • 9.  RE: Clearpass Enforcement Policy

    EMPLOYEE
    Posted Aug 18, 2017 09:51 AM

    Just to clarify here, the first time a user requires the downloadable role, it is downloaded from ClearPass. Each additional user that requires the same role will use the controller's downloaded copy of the role unless a change to the role has occurred in ClearPass.

    tl;dr it's not downloaded every time.



  • 10.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 10:02 AM

    Hi Tim,

    Are you saying we can create firewall roles/ACLs (downloadable) in ClearPass, and the first-time user will download it from ClearPass and the controller will also download it? Next time a new user will download it from the controller?

    I am not able to understand it correctly.

    Regards,

    MD.



  • 11.  RE: Clearpass Enforcement Policy

    EMPLOYEE
    Posted Aug 18, 2017 10:25 AM

    User Bob is assigned Role A. Version 1 of the role downloads from ClearPass.

    User Alice authenticates 5 minutes later and is assigned Role A. This role is still on version 1. It is not redownloaded.

    Once the last user that is assigned the role disconnects, the role is flushed.
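The caching behaviour described in posts 9 and 11 (download on first use, reuse while the role is unchanged, flush when the last user disconnects) as a small Python model. This is an added example, not ClearPass or ArubaOS code; the version number passed alongside the role name is a modelling assumption, not the product's actual change-detection mechanism.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class RoleDef:
    name: str
    version: int
    acls: List[str]

class ClearPassRoles:
    """Stand-in for ClearPass as the single role definition point (constructed model)."""
    def __init__(self) -> None:
        self.roles: Dict[str, RoleDef] = {}
        self.downloads = 0          # times a controller fetched a role definition
    def define(self, name: str, acls: List[str]) -> None:
        prev = self.roles.get(name)
        self.roles[name] = RoleDef(name, prev.version + 1 if prev else 1, list(acls))
    def fetch(self, name: str) -> RoleDef:
        self.downloads += 1
        return self.roles[name]

class ControllerRoleCache:
    """Controller-side cache of downloaded roles with per-role user reference counts."""
    def __init__(self, cppm: ClearPassRoles) -> None:
        self.cppm, self.cache, self.users = cppm, {}, {}
    def authenticate(self, user: str, role: str, version: int) -> RoleDef:
        # Assumption of this model: the reply names the role and its current version,
        # so the cached copy is reused unless the version differs.
        cached = self.cache.get(role)
        if cached is None or cached.version != version:
            self.cache[role] = self.cppm.fetch(role)
        self.users.setdefault(role, set()).add(user)
        return self.cache[role]
    def disconnect(self, user: str) -> None:
        for role, members in list(self.users.items()):
            members.discard(user)
            if not members:         # last user of the role gone: flush it
                del self.users[role], self.cache[role]

def walk_through() -> dict:
    cppm = ClearPassRoles()
    cppm.define("Role-A", ["deny youtube", "allowall"])
    ctrl = ControllerRoleCache(cppm)
    ctrl.authenticate("bob", "Role-A", 1)       # first user: downloaded
    ctrl.authenticate("alice", "Role-A", 1)     # same version: served from cache
    after_two = cppm.downloads
    cppm.define("Role-A", ["deny youtube", "deny ssh", "allowall"])   # now version 2
    ctrl.authenticate("carol", "Role-A", 2)     # stale cached copy: re-downloaded
    for u in ("bob", "alice", "carol"):
        ctrl.disconnect(u)
    return {"after_two": after_two, "total": cppm.downloads, "cached": sorted(ctrl.cache)}
```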



  • 12.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 10:37 AM
    What are some pros|cons of using downloadable roles vs traditionally creating them on the controller?
    How many customers are using downloadable roles?


    - Ryan -


  • 13.  RE: Clearpass Enforcement Policy

    EMPLOYEE
    Posted Aug 18, 2017 10:42 AM

    ClearPass becomes your only role definition point. That is very attractive to many customers.

    We see much higher usage and interest on the wired side due to the sheer number of switches. With ArubaOS 8.X with Mobility Master, there might not be as big of a need on the wireless side.



  • 14.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 11:27 AM

    We love the fact that once a role is applied to a user (or AD group in our case), the user gets the same role no matter if they are wired or wireless and changes only have to be made in one location.



  • 15.  RE: Clearpass Enforcement Policy

    EMPLOYEE
    Posted Aug 18, 2017 11:31 AM

    Sounds like downloadable roles would be perfect for you!



  • 16.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 12:12 PM
    We have multiple masters on our campus and I have wanted to use downloadable roles for some time, but have not done so yet.

    A pro I see is that having a single point of definition (as Tim points out) for the roles makes it easier to implement changes across all of my controllers.

    I don’t use ClearPass for all of the Wi-Fi networks yet (and may never have all of them on ClearPass), so a con would be having to deal with multiple ways of implementing roles and managing them.

    Questions that I have had, but have not looked into (or don’t remember the answers to) are:

    * What happens when I update the role definition in ClearPass? Do all existing users keep the same rules and only subsequent users get the updated ruleset?
    * If the controller already has a role downloaded, how does it know if the role definition on ClearPass has changed and it needs to download a new role?
    * How do you look at the characteristics of a downloadable user role from the controller (either Web UI or CLI)?
    * In HA pairs, when do backup controllers download the roles? With potentially thousands of users moving from one controller to the other how does ClearPass know to only download the role once since there would be thousands asking at virtually the same time?

    A challenge I see is that, with the exception of rebooting controllers, we never have a role with zero users, so to be sure the current role was being sent, I suppose you would have to clear the user tables for users in that role?

    Amel Caldwell
    University of Washington UW-IT
    Wi-Fi Network Engineer
    Wi-Fi Service Manager

    amelc@uw.edu
    206-543-2915

    Ask me about open Network Engineer positions on the wireless team.




  • 17.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 12:24 PM
    Definitely a neat-sounding feature. Amel, you [perhaps inadvertently] outlined the complexity of it beautifully. For me, I have condensed our network into 3 masters, and given that user-roles should overall be rather static, I prefer to keep ClearPass out of it.


  • 18.  RE: Clearpass Enforcement Policy

    MVP
    Posted Aug 18, 2017 12:27 PM

    We too have 3 masters and look forward to ArubaOS 8.x to consolidate our configuration into one configuration tree.



  • 19.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 12:32 PM
    Braggadocious! ;) Unfortunately, we exceed single cluster limits and will continue to have multiple points of configuration. Not a bad thing though. Know what they say about [wifi] eggs in one basket…


  • 20.  RE: Clearpass Enforcement Policy

    MVP
    Posted Aug 18, 2017 12:36 PM

    Scalability is an issue many times.

    I suspect your network is larger than most HPE customers but we thank you for stressing the products to their limit, improving them.



  • 21.  RE: Clearpass Enforcement Policy

    Posted Aug 18, 2017 12:57 PM
    ☺ I assume you mean stressing ourselves. :-P